Compliance Toolkit

Spyware and the law

Simon Briskman and Mark Smith Olswang

Published: 04 Nov 2004 17:08 GMT

The second category of spyware we'll call "adware". This doesn’t have a malicious intent, but rather is designed to enhance the effectiveness of advertising targeted at the user or otherwise provide marketing information to a third party. Examples of this are applications that facilitate pop-up browser windows, redirect browser home pages and add favourite sites to browser lists.

Already, the definitions can be attacked. First, it is possible to find legitimate uses for mal-spyware. For example, covertly monitoring children’s Internet activity, remote administration of networked PCs are legitimate uses for software that could be used to serious criminal effect.

Second, in looking at adware, badly written software in this category could lead to security vulnerabilities and lead indirectly to a security compromise. The dividing line becomes blurred, particularly when some of the code in question may not even be an application.

Finally, there is a third category of software on the very edges of spyware. Specific functionality within legitimate applications may send data off remotely to third parties without users realising they have enabled this feature. One example of this was a feature of RealJukeBox software that sent music track details back to RealNetworks. Many applications (antivirus software being a good example) do contact remote hosts, but make it very clear to users what they are doing. This issue is outside the scope of this article, but there are other well-known examples suggesting this topic should not be ignored.

Outside the law?
Before looking at legislation to regulate spyware, it is worth considering the litigation on the fringes of this issue. First, lawsuits have been brought in the US by software developers who claim their products have been wrongly labelled as spyware. In the ecommerce arena, many on-line merchants are also threatening action because spyware can distort their ability to track where site visitors came from (which may have an impact on payment of commission to affiliates) and can be used to serve up competitive adverts and divert visitors from their sites.

The growing awareness of the scale of the problem, supported as usual by a tide of industry surveys, has led to calls for legislation to help users tackle the problem. As with many Internet issues, some of the best practical solutions are technical. However, because the problem affects many home users, who struggle to get to grips with basic antivirus precautions, let alone spyware, the law does have a role to play. At the time of writing, it is the US legislators that are making the headlines.

US legislation
There are currently three spyware pieces of legislation being developed at federal level in the US.

These are the Internet Spyware Prevention Act of 2004 (the "I-SPY Act"), the Securely Protect Yourself Against Cyber Trespass Act (the "SPY Act") and the snappily titled Software Principles Yielding Better Levels of Computer Knowledge Act (or "SPY BLOCK Act"). The purpose of these bills includes targeting the unauthorised installation of computer software (with a corresponding focus on disclosure of information to users) and protecting users from unknowing transmission of personal information over the Internet. It is likely there will be some consolidation of these bills.